Thursday, December 30, 2010

Attention all Wordpress bloggers

You need to upgrade WordPress to fix a critical security bug:

Version 3.0.4 of WordPress, available immediately through the update page in your dashboard or for download here, is a very important update to apply to your sites as soon as possible because it fixes a core security bug in our HTML sanitation library, called KSES. I would rate this release as “critical.”

I realize an update during the holidays is no fun, but this one is worth putting down the eggnog for. In the spirit of the holidays, consider helping your friends as well.

If you are a security researcher, we’d appreciate you taking a look over this changeset as well to review our update. We’ve given it a lot of thought and review but since this is so core we want as many brains on it as possible. Thanks to Mauro Gentile and Jon Cave (duck_) who discovered and alerted us to these XSS vulnerabilities first.

The bug is in the library that sanitizes user-submitted HTML, so if you don't update, Bad Guys can get script of their own into your blog's pages (that's what XSS means). Probably the best you could expect is tons of comment spam.
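If you run your own WordPress install and want to confirm whether it is on 3.0.4 or later, the version string lives in wp-includes/version.php as $wp_version. The following script is an added example (not WordPress code, and not from the post's author); it parses that line and compares the result against 3.0.4. The sample PHP fragment embedded below is constructed so the example runs without a WordPress install; the assumption that a pre-release suffix such as "-beta1" should sort before the plain release is mine.

```python
import re
import sys
from pathlib import Path
from typing import Optional, Tuple

# First release that carries the KSES fix, per the WordPress announcement.
FIXED_VERSION = "3.0.4"

# Constructed sample of the relevant line from wp-includes/version.php,
# embedded here so the example runs offline (not a real file's contents).
SAMPLE_VERSION_PHP = """<?php
/**
 * The WordPress version string
 */
$wp_version = '3.0.3';
"""


def parse_wp_version(php_source: str) -> Optional[str]:
    """Extract the $wp_version string literal from version.php source."""
    m = re.search(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]", php_source)
    return m.group(1) if m else None


def version_key(version: str) -> Tuple[Tuple[int, ...], int]:
    """Comparable key: numeric components, then a flag that sorts
    pre-releases ("3.0.4-beta1") before the final release ("3.0.4").
    Assumption: any suffix after the digits marks a pre-release."""
    m = re.match(r"(\d+(?:\.\d+)*)(.*)", version)
    if not m:
        raise ValueError("unrecognised version string: %r" % version)
    numeric = tuple(int(p) for p in m.group(1).split("."))
    is_final = 0 if m.group(2) else 1
    return numeric, is_final


def needs_update(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version predates the fixed release."""
    return version_key(installed) < version_key(fixed)


def assess(php_source: str) -> Tuple[Optional[str], bool]:
    """Return (version found, whether an update is required).
    An unparseable file is reported as needing attention."""
    version = parse_wp_version(php_source)
    if version is None:
        return None, True
    return version, needs_update(version)


def check_install(wp_root: str) -> Tuple[Optional[str], bool]:
    """Read wp-includes/version.php under a WordPress root and assess it."""
    src = Path(wp_root, "wp-includes", "version.php").read_text(encoding="utf-8")
    return assess(src)


if __name__ == "__main__":
    # Usage: python check_wp.py /path/to/wordpress
    # With no argument, assess the constructed sample instead.
    if len(sys.argv) > 1:
        version, update = check_install(sys.argv[1])
    else:
        version, update = assess(SAMPLE_VERSION_PHP)
    print("installed: %s, fixed in: %s, update needed: %s"
          % (version, FIXED_VERSION, update))
```

The comparison is numeric rather than string-based, so "3.0.10" correctly sorts after "3.0.4"; a plain "3.1" is treated as newer than the fix.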

2 comments:

JP said...

Mr. Blogspot User to us Wordpressors' rescue!

I actually updated yesterday, but I had no idea what the update was about.

Thanks for the headsup!

Borepatch said...

It's all part of the service, JP. ;-)

I quite like the hosted service aspect of blogspot, but mostly because I'm a lazy cuss and have enough security updates to chase ...